{"id":37,"date":"2015-04-11T15:01:00","date_gmt":"2015-04-11T15:01:00","guid":{"rendered":"https:\/\/www.tech-and-dev.com\/blog\/2015\/04\/11\/forwarding-ip-address-from-varnish-to-apache-on-ubuntu-centos\/"},"modified":"2021-02-22T01:03:50","modified_gmt":"2021-02-22T01:03:50","slug":"forwarding-ip-address-from-varnish-to-apache","status":"publish","type":"post","link":"https:\/\/www.tech-and-dev.com\/blog\/2015\/04\/forwarding-ip-address-from-varnish-to-apache.html","title":{"rendered":"Forwarding IP Address From Varnish to Apache On Ubuntu &#038; CentOS"},"content":{"rendered":"<div dir=\"ltr\" style=\"text-align: left;\">\n<div style=\"clear: both; text-align: center;\"><a style=\"margin-left: 1em; margin-right: 1em;\" href=\"https:\/\/www.tech-and-dev.com\/blog\/wp-content\/uploads\/2021\/02\/varnish-logo.png\"><img decoding=\"async\" title=\"Varnish Logo\" src=\"https:\/\/www.tech-and-dev.com\/blog\/wp-content\/uploads\/2021\/02\/varnish-logo.png\" alt=\"Varnish Logo\" border=\"0\" \/><\/a><\/div>\n<p>&nbsp;<\/p>\n<div style=\"text-align: justify;\">By default, varnish doesn&#8217;t forward the public IP of the visitor to the web server such as Apache or Nginx. 
This makes it harder to detect the visitors&#8217; real IP and to read the log files since they will all be displaying the server&#8217;s IP.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">To fix this, Varnish has to be configured to forward the real IP to the webserver.<\/div>\n<p><a name=\"more\"><\/a><\/p>\n<h2 style=\"text-align: left;\">Modify Configuration File:<\/h2>\n<p>Modify the Varnish \/etc\/varnish\/default.vcl file:<\/p>\n<blockquote><p>vi \/etc\/varnish\/default.vcl<\/p><\/blockquote>\n<p>Add or un-comment the following:<\/p>\n<blockquote><p>sub vcl_recv {<br \/>\nif (req.restarts == 0) {<br \/>\nif (req.http.x-forwarded-for) {<br \/>\nset req.http.X-Forwarded-For =<br \/>\nreq.http.X-Forwarded-For + &quot;, &quot; + client.ip;<br \/>\n} else {<br \/>\nset req.http.X-Forwarded-For = client.ip;<br \/>\n}<br \/>\n}<br \/>\n}<\/p><\/blockquote>\n<h2 style=\"text-align: left;\">Install Apache mod-rpaf for Apache below 2.4<\/h2>\n<h3 style=\"text-align: left;\">Install on Debian\/Ubuntu:<\/h3>\n<blockquote><p>apt-get install libapache2-mod-rpaf<\/p><\/blockquote>\n<p>Enable mod-rpaf:<\/p>\n<blockquote><p>a2enmod rpaf<\/p><\/blockquote>\n<div style=\"text-align: left;\">Configure it:<\/div>\n<blockquote>\n<div style=\"text-align: left;\">vim \/etc\/apache2\/mods-enabled\/rpaf.conf<\/div>\n<div style=\"text-align: left;\">&lt;IfModule rpaf_module&gt;<br \/>\nRPAFenable On<br \/>\nRPAFsethostname On<br \/>\nRPAFproxy_ips 127.0.0.1 ::1 <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span><br \/>\nRPAFheader X-Forwarded-For<br \/>\n&lt;\/IfModule&gt;<\/div>\n<\/blockquote>\n<div style=\"text-align: left;\">Where <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span> is the IP of the reverse proxy,
or just remove it if you use only 127.0.0.1.<\/div>\n<div style=\"text-align: left;\"><\/div>\n<h3 style=\"text-align: left;\">Install on CentOS:<\/h3>\n<p>Unlike on Ubuntu, on CentOS mod_rpaf has to be compiled from source.<\/p>\n<blockquote><p>yum install httpd-devel<\/p><\/blockquote>\n<p>Download the latest version of mod_rpaf (0.6 at the time of this post):<\/p>\n<blockquote><p>wget http:\/\/mirror.trouble-free.net\/sources\/mod_rpaf-0.6.tar.gz<br \/>\ntar zxvf mod_rpaf-0.6.tar.gz<br \/>\ncd mod_rpaf-0.6<br \/>\napxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c<\/p><\/blockquote>\n<div style=\"text-align: left;\">Modify<\/div>\n<blockquote>\n<div style=\"text-align: left;\">vi \/etc\/httpd\/conf.d\/mod_rpaf.conf<\/div>\n<\/blockquote>\n<div style=\"text-align: left;\">and add:<\/div>\n<blockquote>\n<div style=\"text-align: left;\">RPAFenable On<br \/>\nRPAFsethostname On<br \/>\nRPAFproxy_ips 127.0.0.1 <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span><br \/>\nRPAFheader X-Forwarded-For<\/div>\n<\/blockquote>\n<div style=\"text-align: left;\">Where <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span> is the IP of the reverse proxy,
or just remove it if you use only 127.0.0.1.<\/div>\n<div style=\"text-align: left;\"><\/div>\n<h2 style=\"text-align: left;\">Install mod_remoteip for Apache 2.4 and above on CentOS:<\/h2>\n<p>If you&#8217;re using Apache 2.4 or above, you have to use mod_remoteip instead:<\/p>\n<blockquote><p>yum install httpd-devel<br \/>\nwget https:\/\/svn.apache.org\/repos\/asf\/httpd\/httpd\/trunk\/modules\/metadata\/mod_remoteip.c<br \/>\napxs -cia mod_remoteip.c<\/p><\/blockquote>\n<p>Edit the Apache Configuration file:<br \/>\nUsually located in:<\/p>\n<blockquote><p>vi \/etc\/httpd\/conf\/httpd.conf<\/p><\/blockquote>\n<p>Below:<\/p>\n<blockquote><p>LoadModule remoteip_module \/usr\/lib64\/httpd\/modules\/mod_remoteip.so<\/p><\/blockquote>\n<p>Add:<\/p>\n<blockquote><p>RemoteIPHeader X-Forwarded-For<br \/>\nRemoteIPInternalProxy 127.0.0.1 <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span><br \/>\nRemoteIPProxiesHeader X-Forwarded-For<\/p><\/blockquote>\n<p>Where <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span> is the IP of the reverse proxy, or just remove it if you use only 127.0.0.1. List only proxies you control here: mod_remoteip accepts the X-Forwarded-For value only on connections coming from these addresses.<\/p>\n<p>If you want to change the IPs that appear in the log file, scroll down a little bit and change the LogFormat from:<\/p>\n<blockquote><p>LogFormat &quot;%h %l %u %t \\&quot;%r\\&quot; %&gt;s %b \\&quot;%{Referer}i\\&quot; \\&quot;%{User-Agent}i\\&quot;&quot; combined<\/p><\/blockquote>\n<p>to<\/p>\n<blockquote><p>LogFormat &quot;%a %l %u %t \\&quot;%r\\&quot; %&gt;s %b \\&quot;%{Referer}i\\&quot; \\&quot;%{User-Agent}i\\&quot;&quot; combined<\/p><\/blockquote>\n<h2 style=\"text-align: left;\">Restart Apache<\/h2>\n<p>(Ubuntu\/Debian)<\/p>\n<blockquote><p>service apache2 restart<\/p><\/blockquote>\n<p>(CentOS)<\/p>\n<blockquote><p>service httpd restart<\/p><\/blockquote>\n<p><b>Questions?
Please leave a comment below!<\/b><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; By default, varnish doesn&#8217;t forward the public IP of the visitor to the web server such as Apache or Nginx. This makes it harder to detect the visitors&#8217; real IP and to read the log files since they will all be displaying the server&#8217;s IP. To fix this, Varnish has to be configured to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[48,17,24,6,7,4,53],"tags":[],"class_list":["post-37","post","type-post","status-publish","format-standard","hentry","category-apache","category-centos","category-debian","category-linux","category-ssh","category-ubuntu","category-varnish"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/37","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/comments?post=37"}],"version-history":[{"count":2,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/37\/revisions"}],"predecessor-version":[{"id":309,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/37\/revisions\/309"}],"wp:attachment":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/media?parent=37"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/categories?post=37"},{"taxonomy":"post_tag","embeddable":true,"hr
ef":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/tags?post=37"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}